EJBCA issue ECA-4310

Certificate profile key length restriction ignored when creating CA

    Details

    • Issue discovered during:
      Customer

      Description

      When creating a new CA with a custom certificate profile which restricts the key length to a specific size, this restriction is completely ignored. I.e. if the key length in the profile was set to only 4096 and the user provides a key of length 2048, EJBCA will still issue a certificate.

      The bug happens when using "CA Functions" -> "Certification Authorities" -> "Add CA", just to emphasize (I don't think end entity sub CAs are affected).

      Reproduction steps:

      1. Create new certificate profile, based on "ROOTCA", calling it "TestRootCA".

      2. Edit the "TestRootCA" certificate profile, setting the available key lengths to "4096".

      3. Create a crypto token called "TestRootCA" (soft token will do).

      4. Create a signing RSA key of length 2048 named "signKey" in crypto token TestRootCA, a 1024-bit RSA key named "testKey", and a 2048-bit RSA key named "defaultKey".

      5. Create a new CA, using the "TestRootCA" certificate profile and crypto token "TestRootCA" (signKey as signing key, defaultKey as default key, and testKey as test key).

      Expected results:

      1. An error is shown to the user, stating that the key length of the signing key used for the CA does not comply with the certificate profile restrictions.

      2. CA is not created.

      Actual results:

      1. CA is created.

      2. The resulting CA has a self-signed certificate with a 2048-bit public key.

      Additional notes:

      As a side note, the default software token that gets created will sport 2048-bit RSA keys too. I have also been able to renew these root CAs with differing key sizes (compared to what is specified in the profile).

      In a way, the certificate profile should serve as a bit of a parachute in case an operator creates the wrong key size, and this behaviour eliminates this useful restriction. That is why I have set the bug to critical (i.e. I don't need it immediately, but it's a bit of an ugly bug).
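The check the report says is missing, as an added example that is not EJBCA's own code: the profile's available bit lengths are enforced on the CA signing key before a CA is created or renewed, so a violation leaves no CA behind. The class and function names and the constructed stand-in keys are assumptions for illustration, not EJBCA's API or real RSA material.

```python
from __future__ import annotations
from dataclasses import dataclass
import secrets

class ProfileViolation(Exception):
    pass

@dataclass(frozen=True)
class CertificateProfile:
    name: str
    available_bit_lengths: frozenset[int]  # the profile's "available key lengths"

@dataclass(frozen=True)
class RsaKey:
    alias: str
    modulus: int
    def bits(self) -> int:
        return self.modulus.bit_length()  # size taken from the modulus, not a label

def constructed_rsa_key(alias: str, bits: int) -> RsaKey:
    # Constructed stand-in: a random odd integer of exactly `bits` bits, not a
    # real RSA modulus; only its bit length matters for this check.
    return RsaKey(alias, (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1)

def check_key_against_profile(profile: CertificateProfile, key: RsaKey) -> int:
    bits = key.bits()
    if bits not in profile.available_bit_lengths:
        raise ProfileViolation(f"key '{key.alias}' is {bits}-bit; profile "
                               f"'{profile.name}' allows {sorted(profile.available_bit_lengths)}")
    return bits

def create_ca(profile: CertificateProfile, token: dict[str, RsaKey], sign_alias: str) -> dict:
    # The gate runs before anything is issued, so a violation leaves no CA behind.
    bits = check_key_against_profile(profile, token[sign_alias])
    return {"profile": profile.name, "signing_key": sign_alias, "public_key_bits": bits}

def renew_ca(profile: CertificateProfile, token: dict[str, RsaKey], ca: dict, new_alias: str) -> dict:
    # Renewal with a different key goes through the same gate.
    bits = check_key_against_profile(profile, token[new_alias])
    return {**ca, "signing_key": new_alias, "public_key_bits": bits}

# Reproduction data: profile "TestRootCA" limited to 4096; the crypto token's
# keys from the steps above, plus a compliant 4096-bit key for the passing case.
TEST_ROOT_CA = CertificateProfile("TestRootCA", frozenset({4096}))
TOKEN = {k.alias: k for k in (constructed_rsa_key("signKey", 2048), constructed_rsa_key("testKey", 1024),
                              constructed_rsa_key("defaultKey", 2048), constructed_rsa_key("signKey4096", 4096))}
```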

People

Assignee: Johan Eklund (johan)
Reporter: Branko Majic (branko, Inactive)
Verified by: Mike Agrenius Kushner